Top 4 Considerations for HIPAA Compliant File Sharing
Does your business deal with protected health information (PHI) and other health data? If the answer is yes, then your company is subject to HIPAA compliance regulations – meaning a HIPAA compliant file sharing solution must be sought.
Utilizing a HIPAA compliant file sharing service allows healthcare organizations to share electronic files and messages with their patients, colleagues and partners securely and in full compliance with the HIPAA Security Rule.
This is crucial. PHI includes health records, lab results, insurance information, bill and payment information and anything else that may contain sensitive files – and it is the legal duty of HIPAA covered entities to protect it all.
Failure to do so can result in hefty fines from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Penalties range from $100 to $50,000 per individual violation with a maximum penalty of $1.5 million per calendar year.
The OCR has already collected over $5.5 million for violations in 2021 – and there are countless other cases currently under investigation which you can view at the OCR’s Breach Portal or “Wall of Shame”.
HIPAA Requirements for File Sharing
HIPAA has strict requirements regarding information security and sharing files. Crucially, files must be encrypted to NIST Standards both at rest and in transit to ensure those files are indecipherable and unusable should a cybersecurity breach occur.
In addition, access management controls and multi-factor authentication must be in place to ensure only authorized individuals are accessing files and PHI data.
Unfortunately, while many popular solution providers offer secure file sharing and cloud storage, not all provide HIPAA compliant file sharing by design – and some are not HIPAA compliant at all.
As such, it is crucial that you do your homework before selecting a file sharing service. Below are four important considerations to take into account as you begin your search for a HIPAA compliant file sharing solution.
Is Dropbox HIPAA Compliant?
While it is possible to use Dropbox for file sharing and avoid HIPAA violations, be aware that the software is not HIPAA compliant straight out of the box.
For starters, if you want to use Dropbox, you must have a business associate agreement (BAA) in place with the company. A BAA is a contract between a HIPAA covered entity and a business associate. The contract details the respective roles and responsibilities of each organization with regards to the safeguarding of PHI data.
Importantly, Dropbox will not sign a BAA with users of the free Dropbox service. This means that such users cannot use Dropbox in a HIPAA compliant manner, as no file sharing service is HIPAA compliant until a BAA has been signed. Only Dropbox Business customers can obtain a BAA from the company.
However, even if you have a signed BAA with Dropbox, your organization can still fall foul of HIPAA if the system is not configured correctly.
To configure Dropbox correctly, you will need to:
- Configure sharing permissions
- Disable permanent deletions
- Monitor account access and activity continuously
While Dropbox says it “will provide a mapping of our internal practices and recommendations for customers who are looking to meet the requirements of the HIPAA/HITECH Security and Privacy Rules with Dropbox Business” upon request, it is still down to you to configure and use the system in a HIPAA compliant fashion.
In addition, Dropbox cautions users to beware of third-party apps.
All in all, while HIPAA compliant file sharing with Dropbox is possible, doing so will require great care and attention – and the onus falls upon you to configure the system, monitor activity and use it correctly.
Is Google Drive HIPAA Compliant?
Once again, we have a “yes and no” scenario.
Google Drive is not HIPAA compliant by default. However, organizations can configure its settings for HIPAA compliance.
This isn’t an easy task. In fact, Google has released a 26-page guide to help health care organizations get to grips with securing the solution in line with HIPAA.
To give you a quick rundown, here are a few things you will need to do to make Google Drive HIPAA compliant:
- Obtain a BAA from Google
- Implement access controls
- Configure multi-factor authentication
- Disable file syncing and link sharing
- Assign unique passwords for every user
- Set document visibility to private
- Turn off offline storage
- Disable third-party apps and add-ons
- Regularly audit account access and activity
- Implement backups of all Google Drive data
- Train staff on how to use Google Drive in a HIPAA compliant fashion
Is Gmail HIPAA Compliant?
Yet again, the answer isn’t cut and dried.
Gmail is not automatically HIPAA compliant – but you can implement additional security measures and encryption tools yourself that will help you protect PHI sent via Gmail.
Gmail provides controls to help users ensure that messages and attachments are only shared with the intended recipients – keeping users in line with the HIPAA Privacy Rule. So long as these are configured correctly, the Privacy Rule should not be violated.
When it comes to the Security Rule, however, further action is needed. Like the vast majority of generalist email services, Gmail does not encrypt emails or their attachments by default. This means that securing sensitive data and files falls to you as the user.
While Google will sign a BAA and secure data stored on the company’s servers, this does not include end-to-end email encryption. This means HIPAA compliant third-party email encryption tools must be utilized in order to bring Gmail in line with HIPAA requirements.
So, it is possible to use Gmail in a HIPAA compliant fashion – but you must take responsibility for configuring the system correctly and implementing the necessary encryption tools.
Is WeTransfer HIPAA Compliant?
Finally, we can give you a plain and simple answer.
As WeTransfer explains on its website: “Are you HIPAA compliant? We’re not. […] We have a global audience to cater to and it is proven to be quite difficult to make exceptions on a country-level. Since we are not bound by US laws, we aren’t obliged to comply with HIPAA regulations.”
So, there you are. WeTransfer cannot be used for HIPAA compliant file sharing. End of story.
HIPAA Compliant File Sharing with Central Data Storage
What’s the easiest way to stay HIPAA compliant when sending PHI via computers and mobile devices?
Simple – utilize the services of a specialist HIPAA compliant file sharing provider.
At Central Data Storage, all of our products have been purposefully built to keep your PHI safe and secure in full compliance with HIPAA.
Our Encrypted Sharing solution encrypts not only email communications, but instant messaging communications and any files attached to those messages as well.
We sign BAAs with all of our clients and are approved by third-party auditors as 100% compliant with HIPAA, HITECH, the EU’s GDPR, as well as State Laws.
More than just a software provider, at CDS we pride ourselves on working hand in hand with our clients to help them develop and implement policies, procedures and training programs so they can be sure their whole business is fully HIPAA compliant.
Want to learn more about our HIPAA compliant file sharing solutions? Talk to us today. Call 1-888-907-1227 or email firstname.lastname@example.org.